  • Microsoft has spilled the beans on the last 14 years of its Customer Service and Support records.
  • There is no identifying information in the records, but there are case details and customer emails.
  • This type of data would be ideal in the hands of tech support scammers, so people are advised to be careful.

Researcher Bob Diachenko has recently discovered that Microsoft had misconfigured its systems resulting in the exposure of 250 million records. The database entries that were accessible by anyone with a web browser concern Customer Service and Support (CSS) records, and contained conversation logs between the agents and the customers. The records were generated between 2005 and 2019, so if you have contacted Microsoft’s CSS in the past 14 years, the details of your request may have leaked online.

The discovery of the unprotected databases occurred on December 29, 2019, but their indexing on BinaryEdge (search engine) happened the day before. Bob Diachenko reported the discovery to Microsoft and they acted upon the notification almost immediately, securing the databases within 24 hours. It is important to point out that Microsoft’s engineers responded to the researcher and took speedy risk mitigation action although the mess-up was unfolding just before New Year’s Eve. Still, this doesn’t alleviate their initial blunder, which has now exposed millions of Microsoft customers.

Each of the 250 million records that were exposed as a result of this incident includes the following information in relation to the customer:

  • Email address
  • IP addresses
  • Location
  • CSS claim details and case description

As for the details that were exposed from Microsoft’s side, these were the following:

  • Support agent email
  • Case number
  • Resolution status
  • Case remarks
  • Confidential internal notes

So, what would the best possible exploitation of customer support records be? Tech support scams of course. While there is no personally identifiable information (PII) in the database, the data that was exposed would still be enough for scammers to contact the customers and pretend they are Microsoft’s support agents. Knowing why you have contacted Microsoft before, the name of the person you talked to, and what your system details are should be enough for skilled scammers to set up a successful hook.

That said, you should be aware of this possibility and be very careful with unsolicited messages that may arrive in your inbox. Remember, a Microsoft support agent would never ask you to hand over your system password, never ask for your payment information, and would never ask you to install remote desktop applications like TeamViewer. Above all, a real Microsoft support agent would never proactively contact a user to ask about the fate of an old case, or to inform them of a new problem that was supposedly detected remotely. If you receive any messages of this type, don’t respond to the sender and just report it to Microsoft.